Does your practice have a written identity theft program?

How you can develop an identity theft program that complies with the Red Flags Rule
May 01, 2009

With small-animal practitioners deferring payments and large-animal veterinarians billing their clients, there is no doubt that the "Red Flags" provision of the Fair and Accurate Credit Transactions Act (FACTA), which became effective May 1, applies to the veterinary profession.

The Red Flags Rule requires veterinary practices and other entities that defer payments or extend credit to develop, implement and administer a written Identity Theft Prevention Program.

This program must include the following four basic elements, which together create a framework to address the threat of identity theft:

  • FIRST, your program must include reasonable measures to identify the "red flags" of identity theft that you may run across in your day-to-day operations. Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft. For example, if a client is paying for services with a check, you may ask for his or her driver's license in order to validate physical appearance, address and signature.
  • SECOND, your program must be designed to detect the red flags you've identified. For example, if you've identified fake IDs as a red flag, you must have measures in place to detect possible fake, forged or altered identifications.
  • THIRD, your program must spell out the actions you'll take when you detect red flags. For example, if a staff member discovers a client's check carelessly placed in the medical record, they must follow the red-flag directives to address the threat and safeguard the check. And they must report the violation to the senior staff member in charge of the program.
  • FOURTH, because identity theft is an ever-changing threat, you must address how you will re-evaluate your program yearly to address new risks.

The Red Flags Rule is an extension of your data-security plan that protects clients' and staff members' personal data.

The rule contains guidelines for setting up a program, but does not tell you specifically what to include. However, it does require that you address five key categories of red flags or warning signs:

1. Alerts, notifications and warnings from a credit reporting bureau

2. Suspicious documents

3. Suspicious personal identifying information

4. Suspicious account activity

5. Notices from clients, victims of identity theft or law-enforcement authorities about possible identity theft.

Which categories apply to veterinary practices? (Answer: 2, 3, and 5)

Now let's look at how the Red Flags Rule applies to the following experiences many of us may have encountered in our practices:

1. A client moving from New York to Florida asks you to fax their pet's medical record to a veterinary practice in Florida. Any ID theft red flags here?

  • If there is any private personal information, such as driver's license number, checking information or credit/debit card information about the client within the pet's medical record, then you must first remove this information before faxing the record.

2. A client who can't pay a bill in full asks to make payments over time with multiple checks. What are the red flags?

  • Because this is a form of deferred payment the rule covers, you must take steps to safeguard the checks during the "holding process."

3. A client's daughter brings in the family pet because of a urinary infection. Your diagnostic work-up and medical treatment exceed the amount of cash the client gave her daughter for the treatment. Your receptionist contacts the client, who gives her credit-card information over the phone. What are the red flags in this situation?

  • Although accepting payment by credit card does not fall under the Red Flags Rule per se, there are potential identity-theft risks with this scenario.